Hello! On Fri, Jan 28, 2022 at 01:17:34PM -0500, hablutzel1 wrote:
> Hi, while testing the latest NGINX source code around ~1.21.7, I've observed
> that enabling "ssl_stapling" without configuring a "resolver" makes NGINX
> cache the OCSP responder IP indefinitely, so, if the CA later changes the
> OCSP responder IP, NGINX is still going to try to get OCSP queries from the
> old IP (possibly inoperative now), irrespective of the DNS record TTL.
>
> Now, I'm aware of
> https://nginx.org/en/docs/http/ngx_http_ssl_module.html#ssl_stapling
> saying:
>
> > For a resolution of the OCSP responder hostname, the resolver directive
> > should also be specified.
>
> And effectively, using the "resolver" directive, OCSP DNS records are
> refreshed, but it is not obvious at all what is going to happen if a
> "resolver" is not configured. Is there any documentation on this?
> Additionally, what is the reason to not use the default system DNS resolvers
> in the standard way (i.e. respecting DNS TTLs) instead of performing the
> resolution only once when no "resolver" is configured?

The standard system resolver does not provide a non-blocking interface, which
makes it unusable for nginx at runtime.

-- 
Maxim Dounin
http://mdounin.ru/
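The two configurations the thread contrasts, as an added example that is not from the thread or the nginx project; the server name, certificate paths and resolver address are placeholders.

```nginx
# Added example, not from the thread. Paths, names and the resolver
# address are placeholders.

# Problematic: ssl_stapling with no "resolver". The OCSP responder
# hostname (taken from the certificate's AIA extension) is resolved once,
# when the configuration is loaded, and that address is reused until the
# next reload. If the CA moves its responder, stapling quietly degrades:
# the staple is no longer refreshed and clients fall back to their own
# revocation checks.
server {
    listen 443 ssl;
    server_name example.com;  # placeholder

    ssl_certificate     /etc/nginx/tls/example.com.fullchain.pem;  # placeholder
    ssl_certificate_key /etc/nginx/tls/example.com.key;            # placeholder

    ssl_stapling on;
    # no "resolver" directive here
}

# Corrected: a "resolver" lets nginx re-resolve the responder hostname at
# runtime with its own non-blocking resolver, honouring the DNS TTL (or
# the explicit "valid=" override). ssl_stapling_verify additionally checks
# the OCSP response signature against the trusted chain, so a bad or
# spoofed response is not stapled.
server {
    listen 443 ssl;
    server_name example.com;  # placeholder

    ssl_certificate     /etc/nginx/tls/example.com.fullchain.pem;  # placeholder
    ssl_certificate_key /etc/nginx/tls/example.com.key;            # placeholder

    ssl_stapling        on;
    ssl_stapling_verify on;
    # CA chain used to verify OCSP responses (placeholder path)
    ssl_trusted_certificate /etc/nginx/tls/ca-chain.pem;

    # 127.0.0.53 assumes a local caching resolver; adjust to your site.
    # "valid=300s" caps how long a resolved address is reused; omit it to
    # follow the TTL of the DNS record instead.
    resolver         127.0.0.53 valid=300s;
    resolver_timeout 5s;
}
```

After a reload, `openssl s_client -connect example.com:443 -status` shows whether a fresh OCSP response is being stapled.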